Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms

A new Bill targeting social media platforms wants stronger penalties for user privacy breaches that could see companies fined 10% of their annual turnover.

The federal government has released an exposure draft for what it has labelled an Online Privacy Bill that it hopes will enhance online privacy protections for Australians through an expansion of the nation's Privacy Act.

"The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy," the federal government wrote in the Bill's explanatory paper [PDF].

Under current legislation, the federal government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a credit reporting code.

The Bill is seeking to expand the Privacy Act to allow the government to create a third code specifically for regulating three classes of organisations: social media platforms, data brokers, and large online platforms.

The proposed online privacy (OP) code seeks to make it mandatory for social media organisations to verify users' age; obtain parental or guardian consent before collecting, using, or disclosing the personal information of a child who is under 16 years old; and prioritise acting in the best interests of children in their approach to handling data.

These requirements apply only to the social media class of organisations, as the risks they pose to children are higher than those posed by data brokers or large online platforms, the government said.

"The OP code will have stricter requirements for how social media platforms handle children's personal information," the government said.

According to the exposure draft of the Bill, social media platforms that fall within the code's scope include networks such as Facebook, dating apps such as Bumble, online content services such as OnlyFans, online forum sites such as Reddit, online messaging and videoconference platforms such as WhatsApp and Zoom, and gaming platforms that enable users to chat with each other.

Data brokerage organisations, meanwhile, are those that collect personal information from an individual via an electronic service other than a social media service or those that collect the personal information for the sole or primary purpose of disclosing the personal information.

"This is intended to capture organisations whose business model is based on trading in personal information collected online, or information derived from such personal information, such as data derived from rewards or loyalty programs," the explanatory paper states.

The last category, large online platforms, covers organisations that provide electronic services and have over 2.5 million Australian users; these will also fall within the code's scope. This means tech giants such as Apple, Google, and Amazon, as well as media sharing platforms like Spotify, would be required to follow the new code. Organisations that collect personal information as part of customer loyalty schemes are exempt from this third category, however, the government said.

The rest of the code, which would apply to all three classes of organisations, would require organisations to have measures in place that allow individuals to request that their personal information not be used or disclosed. This requirement is not intended to amount to a "right to erasure" of the personal information, however.

The code would also impose APP requirements onto these organisations.

The Online Privacy Bill also seeks to implement stronger penalties for organisations that breach user privacy, with any breach of the code potentially resulting in a fine worth 10% of an organisation's domestic annual turnover or an AU$10 million fine. This proposed AU$10 million fine would be an increase from the current maximum penalty of AU$2.22 million.

A new criminal penalty would also be introduced for when an organisation fails to comply with a requirement to give information, or to provide a document or record, in relation to investigations about breaches of user privacy.

In explaining how the OP code would coexist with other codes, the government said its application would prevail over the APP code in the event an organisation is subject to both codes. But if an organisation is subject to both the OP code and the Consumer Data Right, the Consumer Data Right rules would prevail to the extent of any inconsistency between the two.

The release of the Bill follows various Australian politicians in recent weeks criticising tech giants for the conduct that occurs on their platforms, from Australian Prime Minister Scott Morrison saying social media has become a coward's palace to federal Attorney-General Michaelia Cash writing to her state counterparts requesting that the country's defamation laws be rewritten. At the same time, the Australian Competition and Consumer Commission has been investigating the conduct of digital platforms for years.

On Monday morning, Cash said the Online Privacy Bill would ensure Australians' privacy would be treated more carefully and transparently by online platforms such as social media companies.

"We know that Australians are wary about what personal information they give over to large tech companies. We are ensuring their data and privacy will be protected and handled with care. Our draft legislation means that these companies will be punished heavily if they don't meet that standard," she said.

With the Bill's exposure draft now released, the federal government said the code would be co-developed with the Australian Information Commissioner and industry, and it is now seeking feedback particularly regarding the scope of organisations that would be required to comply with the OP code.

The government will be accepting submissions on the Online Privacy Bill until December 3.
